X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/5d066a8a35324c0291594563e8413fc11fd71456..1bc8da5f3a3bfd6c3f0ba374f12d489d13831460:/cookbooks/tile/templates/default/apache.erb?ds=inline diff --git a/cookbooks/tile/templates/default/apache.erb b/cookbooks/tile/templates/default/apache.erb index ac4ba8f12..9652ec825 100644 --- a/cookbooks/tile/templates/default/apache.erb +++ b/cookbooks/tile/templates/default/apache.erb @@ -1,57 +1,136 @@ # DO NOT EDIT - This file is being maintained by Chef - + # Basic server configuration - ServerName <%= node[:fqdn] %> + ServerName <%= node.name %> ServerAlias tile.openstreetmap.org - ServerAlias parent.tile.openstreetmap.org + ServerAlias render.openstreetmap.org ServerAdmin webmaster@openstreetmap.org + # + # Enable SSL + # + SSLEngine on + SSLProxyEngine on + SSLCertificateFile /etc/ssl/certs/<%= node[:fqdn] %>.pem + SSLCertificateKeyFile /etc/ssl/private/<%= node[:fqdn] %>.key + # Configure location of static files and CGI scripts DocumentRoot /srv/tile.openstreetmap.org/html ScriptAlias /cgi-bin/ /srv/tile.openstreetmap.org/cgi-bin/ # Get the real remote IP for requests via a trusted proxy - RemoteIPHeader X-Forwarded-For -<% @caches.each do |cache| -%> -<% cache.ipaddresses(:role => :external).sort.each do |address| -%> + RemoteIPHeader Fastly-Client-IP +<% @fastly.sort.each do |address| -%> RemoteIPTrustedProxy <%= address %> -<% end -%> <% end -%> # Setup logging - CustomLog /var/log/apache2/access.log combined + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip + CustomLog /var/log/apache2/access.log combined_with_remoteip ErrorLog /var/log/apache2/error.log BufferedLogs on - #Set Access-Control-Allow-Origin header to allow Cross-origin resource sharing (CORS) + # Always set Access-Control-Allow-Origin so that simple CORS requests + # will always work and can be cached Header set Access-Control-Allow-Origin "*" + # Add diagnostics header to identify render server + Header set X-TileRender "<%= node.name %>" + + # Tell clients to use stale tiles if necessary + Header append Cache-Control "stale-while-revalidate=604800, stale-if-error=604800" "expr=%{CONTENT_TYPE} == 'image/png'" + + # Remove Proxy request header to mitigate https://httpoxy.org/ + RequestHeader unset Proxy early + # Enable the rewrite engine RewriteEngine on # Rewrite tile requests to the default style - RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L] - RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L] - RewriteRule ^/(-?\d+)/(-?\d+)/(-?\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L] + RewriteRule ^/(\d+)/(\d+)/(\d+)\.png$ /default/$1/$2/$3.png [PT,T=image/png,L] + RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/status/?$ /default/$1/$2/$3.png/status [PT,T=text/plain,L] + RewriteRule ^/(\d+)/(\d+)/(\d+)\.png/dirty/?$ /default/$1/$2/$3.png/dirty [PT,T=text/plain,L] # Historical Files redirect - Redirect /processed_p.tar.bz2 http://planet.openstreetmap.org/historical-shapefiles/processed_p.tar.bz2 - Redirect /shoreline_300.tar.bz2 http://planet.openstreetmap.org/historical-shapefiles/shoreline_300.tar.bz2 - Redirect /world_boundaries-spherical.tgz http://planet.openstreetmap.org/historical-shapefiles/world_boundaries-spherical.tgz + RedirectPermanent /processed_p.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/ + RedirectPermanent /shoreline_300.tar.bz2 https://planet.openstreetmap.org/historical-shapefiles/ + RedirectPermanent /world_boundaries-spherical.tgz https://planet.openstreetmap.org/historical-shapefiles/ + + # Redirect ACME certificate challenges + RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + + # Restrict tile access to CDN nodes and admins + + Require expr "%{CONN_REMOTE_ADDR} != %{REMOTE_ADDR}" + # Fastly POPs +<% @fastly.sort.each do |address| -%> + Require ip <%= address %> +<% end -%> + # StatusCake monitoring +<% @statuscake.sort.reject { |address| address.empty? }.each do |address| -%> + Require ip <%= address %> +<% end -%> + # Administrators +<% @admins.sort.each do |address| -%> + Require ip <%= address %> +<% end -%> + # OSM Amsterdam IPv4 + Require ip 184.104.179.128/27 + # OSM Amsterdam IPv6 + Require ip 2001:470:1:fa1::/64 + # OSM Dublin IPv4 + Require ip 184.104.226.96/27 + # OSM Dublin IPv6 + Require ip 2001:470:1:b3b::/64 + # OSM UCL IPv4 + Require ip 193.60.236.0/24 + + + + + # Basic server configuration + ServerName <%= node.name %> + ServerAlias tile.openstreetmap.org + ServerAlias render.openstreetmap.org + ServerAdmin webmaster@openstreetmap.org + + # Setup logging + LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_with_remoteip + CustomLog /var/log/apache2/access.log combined_with_remoteip + ErrorLog /var/log/apache2/error.log + BufferedLogs on + + # Always set Access-Control-Allow-Origin so that simple CORS requests + # will always work and can be cached + Header set Access-Control-Allow-Origin "*" + + # Add diagnostics header to identify render server + Header set X-TileRender "<%= node.name %>" + + # Remove Proxy request header to mitigate https://httpoxy.org/ + RequestHeader unset Proxy early + + # Enable the rewrite engine + RewriteEngine on + + # Redirect ACME certificate challenges + RewriteRule ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 [R=permanent,L] + # Redirect to https + RewriteCond %{REQUEST_URI} !^/server-status$ + RewriteCond %{REQUEST_URI} !^/mod_tile$ + RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=permanent,L] Options None AllowOverride None - Order allow,deny - Allow from all + Require all granted Options ExecCGI AllowOverride None - Order allow,deny - Allow from all + Require all granted